A public consultation is currently ongoing on a draft bill for the introduction of mandatory notification of ICT breaches in vital sectors (name of proposed legislation in Dutch: Wet melding inbreuken elektronische informatiesystemen). The consultation opened on 22 July 2013 and will terminate on 17 September 2013. The draft bill does not provide for the imposition of sanctions.
The notification duty will only apply to providers of products or services whose availability or reliability is of vital importance for Dutch society (i.e. in sectors such as electricity, gas, water, telecommunications, finance, government and transport), and only where the breach in question will or may have a significantly negative effect on the availability or reliability of the relevant product(s) or service(s). The duty will apply with respect to elements of vital infrastructure whose breakdown would directly or indirectly lead to social disruption. The providers who will be subject to the duty will be designated by general administrative order (algemene maatregel van bestuur).
The relevant providers will include energy network managers, drinking-water companies, telecommunication companies, surface-water management bodies, banks, the operators of the port of Rotterdam (Havenbedrijf Rotterdam) and Schiphol airport (NV Luchthaven Schiphol), and the body responsible for air traffic control in the Netherlands (Luchtverkeersleiding Nederland). In the case of providers of certification services, a different system for the notification of ICT breaches will be put in place.
Notifications must be made to the Minister of Security and Justice immediately, and will be handled by the National Cyber Security Centre (NCSC), which forms part of the ministry. The purpose of the notification duty is to enable the NCSC to assess the risks posed by a breach and to assist the provider affected by the breach, with the ultimate aim of preventing or limiting any social disruption. The information notified may also be used for advice and communications to other providers in vital sectors and to the public at large. For example, a warning can be issued about the risks posed by a method of operation used by internet criminals, or a recommendation can be made that a particular product or service not be used until further notice.
The notification shall in any event include:
- the nature and extent of the breach (of security) or the loss (of integrity of an information system) that will or may have a significantly negative effect on the availability or reliability of the relevant product(s) or service(s);
- the time of commencement of the breach or loss;
- the possible consequences of the breach or loss;
- a prognosis of the time it will take to remedy the breach or loss;
- if possible, the measures taken or to be taken by the provider in order to limit the consequences of, or prevent a repetition of, the breach or loss;
- the contact details of the officer based in the Netherlands who is responsible for giving the notification.
If so requested, a provider that has given a notification shall immediately provide the Minister with all other information that is necessary for the purpose of:
- assessing the risks to the availability or reliability of the product or service;
- assisting the provider with the taking of measures to secure or restore the availability and reliability of the product or service.
The NCSC will not be supervising compliance with the notification duty and will not have any powers of enforcement. Its primary role will be to offer assistance. The NCSC can, however, inform the authorities with competence in the relevant sector if it appears that there has been an intentional lack of compliance with the notification duty. Such authorities can then decide whether or not the non-compliance is reason for them to adopt a stricter supervision of that sector. If it turns out that there is insufficient compliance with the notification duty, it may be decided to arrange for a system of supervision and enforcement.